Barely two months after mysteriously disappearing, the world’s most notorious ransomware gangs seem to be back.
Key takeaways
- Over the last two months, two leading gangs — REvil and Avaddon — had seemingly vanished
- Now, two new ransomware gangs have emerged, with eerily similar characteristics
- It would appear these are REvil and Avaddon making a comeback
- Indicates that despite recent action, global law enforcement action against the gangs has been only partially successful.
Over the past two months, a number of the globe’s most notorious ransomware gangs abruptly ceased operation. We covered these developments in our updates.
Telling clues hidden within the operations of two new ransomware groups suggest several high-profile gangs may not have shut up shop after all.
Two of these groups, REvil and Avaddon, went to ground without explanation.
Another, the DarkSide gang, was similarly tight-lipped in its closure, but later revealed it had lost access to its servers and its cryptocurrency as a result of law enforcement action.
These shutdowns were likely the result of increased pressure and scrutiny following a rising wave of high-profile ransomware attacks, including DarkSide on Colonial Pipeline and REvil on Kaseya and JBS Foods.
However, the disappearance of some of the industry’s biggest operators appears to have been short lived.
Two new ransomware groups have recently emerged on the scene, and their infrastructure and operations suggest they could be phoenixes risen from the ashes of former high-profile gangs.
One security news outlet has already declared the new BlackMatter group a ‘return of DarkSide’, the infamous perpetrators of the Colonial Pipeline hack.
That breach, on the US’ largest fuel pipeline, caused petrol shortages across the southeast of the country and spurred a wave of government and law enforcement action that ultimately saw DarkSide shuttered.
But sardonic name choice aside, the encryption methods used by the new BlackMatter are identical to the unique algorithms used by the former DarkSide group, researchers have found.
BlackMatter is also using similar language and colour themes on its websites, they noted, and at least one of the former actors behind DarkSide has been observed aligning themselves with BlackMatter.
Similarly, an interesting footnote states the group will specifically avoid targeting “the oil and gas industry (pipelines, oil refineries)”.
Other researchers have also noted a striking similarity between BlackMatter and the defunct REvil – BlackMatter itself says it has “incorporated the best features of DarkSide, REvil, and LockBit”.
BlackMatter is of particular concern because of its stated intention to go after big fish: organisations with revenues of more than US$100 million and with between 500-15,000 hosts in their networks. Or, in other words, those more likely to pay out big ransoms.
Another new group to recently surface, Haron, appears to have a lot in common with the former Avaddon gang, one of the most prolific ransomware groups in history.
Avaddon revealed it had compromised almost 3000 victims in just two short years when it voluntarily sent out all the decryption keys to its locked up networks, many located in Australia, in June.
After that, the group went quiet.
But Haron, which appeared not long after, is using much of the same language and website contents and structure as Avaddon – even going so far as to copy paste text and swap out any mention of “Avaddon” for “Haron”.
However, there are some differences – the groups use different types of ransomware, for example – that mean it’s not possible to definitively conclude they are related.
Up in the air
The ransomware industry is a fluid one where gangs are known to share personnel and resources where mutually beneficial.
Affiliate models, as one example, see hackers, ransomware and other infrastructure and services provided to other groups in exchange for a cut of the ransom profits.
Similarly, many ransomware operations actually run on an outsourcer model that pulls in resources where needed, as opposed to a traditional structured organised crime approach; it’s effectively Airtasker for hackers.
Some groups have also been known to copy or mimic the publicly available artefacts of other groups to make up for skill or resourcing gaps.
The emergence of familiar individuals or resources in new ransomware groups is not of itself novel. It’s similarly not uncommon for defunct ransomware gangs to resurface at a later date: in fact REvil itself was launched in 2019 as an offshoot of the former GandCrab gang.
What it does suggest, however, is that the global law enforcement crackdown on this lucrative criminal enterprise is yet to make a substantial dent in its operations.
Needless to say, the complexity described above makes it difficult for law enforcement to identify and shut down individual groups.
The threat, it seems, is far from over.
